Thursday, February 3, 2011

Using fake MX records to combat spam

I have a client that is getting heavily spammed.. it's the 15th of the month and POP3 bandwidth is almost 100 GB (yes GB..lol!) and there are only 7 e-mail accounts on this domain. I installed SpamAssassin, set it to 5 and set up 10-20 filters that reject most of the junk. I don't see much of a change in POP3 bandwidth. Correct me if I'm wrong, but the server still receives the message, using up bandwidth, in order to analyze it and determine a spam score.

I stumbled across faking MX records; for those unaware, basically you set a bogus server as the lowest and highest MX records with the working server's MX record in the middle.

For example:

fake.mydomain.com    1
realmx.mydomain.com  2
fake2.mydomain.com   3

The theory is that since the majority of spam is generated from Windows-based zombies, quite a few will query for the highest MX record to spam, since usually those are backup servers that don't filter spam. The lowest fake MX record is for the rest of the spammers.. and generally spammers don't retry after failures.

Has anyone tried this? Does it help? Does it delay or cause issues with mail delivery? Does anyone else have a better solution?
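To make the trade-off in the question concrete, here is an added simulation (not part of the original post) of how three kinds of senders walk the MX list sketched above. The host names, the set of hosts that actually accept mail and the 30-second connect timeout for the decoys are constructed assumptions; the ordering rule for the compliant sender is the one RFC 5321 section 5.1 requires (ascending preference, every record tried before giving up).

```python
"""Simulate how different senders walk a domain's MX list.

Added illustration, not from the original thread. The MX set mirrors the
post's example; host names and the per-host connect cost are constructed.
"""

# Constructed MX set: decoys at the highest and lowest preference, real host between.
MX_RECORDS = [
    (1, "fake.mydomain.com"),
    (2, "realmx.mydomain.com"),
    (3, "fake2.mydomain.com"),
]

# Constructed: only the real host answers; the decoys time out after 30 s (assumed).
ACCEPTING_HOSTS = {"realmx.mydomain.com"}
CONNECT_TIMEOUT_SECONDS = 30


def delivery_order(mx_records):
    """Hosts in the order RFC 5321 requires a sender to try them: ascending preference."""
    return [host for _pref, host in sorted(mx_records, key=lambda rec: rec[0])]


def attempt(host, accepting):
    """Return (accepted, seconds spent) for one connection attempt (constructed model)."""
    if host in accepting:
        return True, 0
    return False, CONNECT_TIMEOUT_SECONDS


def compliant_sender(mx_records, accepting=ACCEPTING_HOSTS):
    """A standards-following MTA tries every MX until one accepts; on total failure it queues."""
    tried, elapsed = [], 0
    for host in delivery_order(mx_records):
        accepted, cost = attempt(host, accepting)
        tried.append(host)
        elapsed += cost
        if accepted:
            return {"delivered": True, "tried": tried, "delay": elapsed}
    return {"delivered": False, "tried": tried, "delay": elapsed}


def lowest_only_sender(mx_records, accepting=ACCEPTING_HOSTS):
    """Sender that tries only the most-preferred MX and never retries."""
    host = delivery_order(mx_records)[0]
    accepted, cost = attempt(host, accepting)
    return {"delivered": accepted, "tried": [host], "delay": cost}


def highest_only_sender(mx_records, accepting=ACCEPTING_HOSTS):
    """Sender that picks the least-preferred MX, assuming it is an unfiltered backup."""
    host = delivery_order(mx_records)[-1]
    accepted, cost = attempt(host, accepting)
    return {"delivered": accepted, "tried": [host], "delay": cost}


if __name__ == "__main__":
    for name, fn in [("compliant", compliant_sender),
                     ("lowest-only", lowest_only_sender),
                     ("highest-only", highest_only_sender)]:
        print(name, fn(MX_RECORDS))
```

The compliant sender still delivers, but only after burning a full timeout on the first decoy; the two single-record senders (which also model the badly written MTAs that a later answer warns about) lose the message outright. Whether that is an acceptable price is exactly the question the answers below argue over.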

  • I've never heard of this method before and I can imagine it would delay legitimate email potentially by several hours. At the end of the day, the smtp protocols need to deliver your legitimate email. The valid servers will hit the bogus mx record and try to deliver to that server... I don't know what you might have running there (if anything), but they will keep trying until it's accepted.

    Proper servers will keep trying the MX records until the mail is delivered. Spammers tend to get smarter and if this works for some spam software now, I doubt it'll work for long. I can't recommend it.

    My suggestion is instead to look at using an smtp tarpit in addition to your existing spam filter. There are a number of these available now. I think you'll find it's much more effective than the fake mx record method.

    Such tarpits come with smtpd on BSD. There are also some tarpitting features in sendmail 8.13.

    Basically, a tarpit works by tying up spam server resources. They do that by delaying the responses they get. e.g. the spam server connects and receives about 1 byte per second.
    Some of the tarpit servers look for spam patterns and can recognize a spam server. Legitimate servers will be prepared to wait through a slow response. In some tarpit servers they move the legitimately recognized server onto a whitelist automatically so there is no delay in the future.

    Google SMTP Tarpit and take a look.

    Mikey1980 : Thanks for the suggestion, but my client is a Web Design firm (their client is the one with the issue) running 100s of low traffic sites on a shared host and the WHM has no root access or SSH.. stuck with SpamAssassin.. btw Exim is the exchange. Forgive me if this isn't clear.. my forte is programming..I'd probably make a horrible sysadmin!
    Matt : I'm a programmer as well, but have spent quite a number of hours running my old company's freebsd servers doing all manner of things.
    From Matt
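The answer above describes the mechanics of a tarpit (drip-feed bytes to unknown senders, whitelist a sender once it has waited the delay out and delivered). The following is an added toy model of that policy, not code from the answer or from any of the tarpit implementations it names; the one-second-per-byte rate, the banner hostname and the sleep/write hooks are constructed so it runs offline.

```python
"""Toy SMTP tarpit policy: drip-feed responses to unknown senders and
whitelist senders that complete a delivery.

Added illustration, not from the thread. Delays and hostname are constructed.
"""
import time


class TarpitPolicy:
    def __init__(self, seconds_per_byte=1.0, whitelist=()):
        self.seconds_per_byte = seconds_per_byte
        self.whitelist = set(whitelist)

    def delay_for(self, client_ip):
        """Whitelisted senders get full speed; everyone else is throttled."""
        return 0.0 if client_ip in self.whitelist else self.seconds_per_byte

    def record_delivery(self, client_ip):
        """A sender that waited the tarpit out and delivered is treated as legitimate
        and exempted on its next connection (the automatic whitelisting described above)."""
        self.whitelist.add(client_ip)


def send_slowly(write, line, seconds_per_byte, sleep=time.sleep):
    """Write `line` one byte at a time, sleeping between bytes; return bytes written."""
    data = line.encode("ascii")
    for i, byte in enumerate(data):
        if i and seconds_per_byte:
            sleep(seconds_per_byte)
        write(bytes([byte]))
    return len(data)


def greet(policy, client_ip, write, sleep=time.sleep):
    """Send the 220 banner at the rate the policy picks for this client; return seconds spent."""
    banner = "220 mx.example.net ESMTP ready\r\n"  # constructed hostname
    delay = policy.delay_for(client_ip)
    sent = send_slowly(write, banner, delay, sleep=sleep)
    return (sent - 1) * delay


if __name__ == "__main__":
    policy = TarpitPolicy(seconds_per_byte=0.05)  # fast rate so the demo finishes quickly
    chunks = []
    print("unknown sender waited", greet(policy, "192.0.2.10", chunks.append), "s")
    policy.record_delivery("192.0.2.10")
    print("same sender next time waited", greet(policy, "192.0.2.10", chunks.append), "s")
```

Throttling the greeting is enough to make a fire-and-forget spam engine move on, while a real MTA simply sits through it; after `record_delivery` the same client is greeted without delay. Dropping the rate to a small fraction of a second per byte keeps legitimate senders comfortably within their own connection timeouts.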
  • You didn't mention it, so is there a reason you're not using a DNSBL?

    Edit: SpamAssassin includes support for a few of them - without them, you'll be wasting a lot of CPU cycles analyzing spam.

    Mikey1980 : Another great suggestion, however I am really limited since my client's WHM isn't root.. according to webalizer, enabling SpamAssassin has made next to no impact on bandwidth in the last 12 hours
    danlefree : ... then your best bet would be to push all mail services through Google Apps or use another third-party service to mitigate spam *if* your client's hosting provider is not willing to tinker with SpamAssassin's configuration.
    Mikey1980 : Any idea if DNSBL or RBL are enabled by default? You'd think they would be. I agree, I'm starting to think a front-end MX filtering is going to be the only solution.
    danlefree : @Mikey1980 - "Any idea if DNSBL or RBL are enabled by default?" Sorry, couldn't say - best to inquire directly with the provider in any case because there is a possibility they apply their own configuration.
    ZippyV : You can check if the emailserver filters spam based on the DNSBL: http://www.spamhaus.org/faq/answers.lasso?section=DNSBL%20Usage#205
    From danlefree
  • Do yourself a favor and set them up with a gateway anti-spam service such as Postini. For a few dollars per mailbox per month, there's absolutely no reason not to and you'll not only eliminate 99% of your spam, you'll also enjoy having access to their spool service (handy for scheduled or unscheduled downtime), not to mention the bandwidth savings by letting someone else receive and process all that spam before it hits the edge of your network.

    Not a Postini employee, just a happy user who's also set up dozens of clients with it.

    Mikey1980 : thanks for the suggestion, that's plan B (plan C being renaming their e-mail address..lol) I do like the idea of SaaS or Front-end filtering
    Mikey1980 : Although it's the answer I wanted to hear.. my client went with Google Postini, the SPAM was out of control and without root access seemed like the only option--many thanks for the tip!
    gravyface : You'll love it man. Seriously: being able to turn on spooling when you're working on the server is great. Also I use them as an upstream smarthost and lock down the firewall accordingly so no matter what boxes get owned on my network(s) (including the mail server(s)), they can only talk to Postini's SMTP servers, which does outbound filtering as well.
    From gravyface
  • I've tried this, and I can strongly recommend that you DON'T DO IT! It seemed like a good idea at the time, but after mail from various senders started disappearing, I realized that it was a mistake. What I didn't realize was that there are lots of terribly written SMTP servers out there, that don't follow the spec and are fairly retarded about handling errors, and people don't know or care because "this other guy got my email, so it must be you".

    I second some of the other suggestions for handling SPAM. Postini is a great service, and even the built in anti-spam stuff in the free google apps isn't that bad. If you want more control you can buy an IronPort or other device, or roll your own.

    Mikey1980 : Thanks Jed, exactly what I wanted.. a first-hand experience. I never thought about SMTP issues, too focused on the incoming +1
    Ryan Gooler : I work for an Anti-Spam company (Red Condor) and we have the highest priority records for most of our customers set to a blackhole address. However, we do have some customers remove that, because silly people write legit mailservers that only bomb that address. However, going with a SaaS hosted provider will let you offload the bandwidth load for cheap.
    Mikey1980 : @Ryan--thanks! Do you have your "blackhole" reporting `server-busy` or is it completely dead?
  • As far as mail filtering goes, I've been very happy with the combination of SpamAssassin and policyd-weight, which checks sender hostname and blocklists during the SMTP connection. That is a great thing for two reasons:

    1. you have to process the rejected e-mail with SpamAssassin, which spares you system resources (bayesian analysis takes some time) and bandwidth
    2. sender hosts get rejected, so in the unlikely event of blocking legitimate e-mail its sender gets a delivery failure notification

    I'm using the setup on Postfix, but supposedly there is a way to install policyd-weight with Exim.

    From che
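Both the DNSBL answer above and this policyd-weight answer rest on the same mechanism: look the connecting client's address up in a blocklist zone and reject at connection time, before any message body is transferred. The block below is an added illustration of those mechanics, not code from either answer, SpamAssassin or policyd-weight. It uses a constructed in-memory resolver so it runs offline; zen.spamhaus.org is assumed as the example zone, the listed addresses are made up apart from 127.0.0.2 (which RFC 5782 requires every DNSBL to list as a self-test entry), and the 554 reply text is constructed.

```python
"""DNSBL lookup mechanics: reverse the client IP, query the zone, reject before DATA.

Added illustration, not from the thread. The resolver and listed entries are
constructed; zen.spamhaus.org is assumed as the example zone.
"""
import ipaddress


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(ip, zone, resolve):
    """`resolve(name)` returns a list of A-record strings, or [] for NXDOMAIN.

    A listed IP answers with an address inside 127.0.0.0/8; anything else
    (including resolver failure) is treated as 'not listed' so that a broken
    lookup fails open rather than blocking legitimate mail.
    """
    answers = resolve(dnsbl_query_name(ip, zone))
    listed_range = ipaddress.IPv4Network("127.0.0.0/8")
    return any(ipaddress.IPv4Address(a) in listed_range for a in answers)


# Constructed zone data: the RFC 5782 self-test entry plus one made-up spam source.
FAKE_ZONE_DATA = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2"],
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4"],
}


def fake_resolve(name):
    """Stand-in for a DNS A lookup; [] plays the role of NXDOMAIN."""
    return FAKE_ZONE_DATA.get(name, [])


def smtp_policy(client_ip, zone="zen.spamhaus.org", resolve=fake_resolve):
    """Decide at connection time, before any message is accepted (the bandwidth point)."""
    if is_listed(client_ip, zone, resolve):
        return "554 5.7.1 Service unavailable; client host listed"  # constructed wording
    return "250 OK"


if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.0.2.10", "198.51.100.7"):
        print(ip, "->", smtp_policy(ip))
```

Because the verdict is reached on the client address alone, a listed zombie never gets to send a body, which is what actually cuts the bandwidth the question is about; and since the rejection is a normal SMTP reply, a wrongly listed legitimate sender receives a bounce rather than silently losing mail, which is the second point the answer makes.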
